DETAILED ACTION

1. This action is in response to the amendment filed on May 7th, 2007. Claims 1-3, 5-9, 11-13,
15-18, 20, 22, 23 and 29-32 have been amended, claims 1-32 are pending and have been
considered below.

Response to Amendment 

2. The amendment filed on May 7th, 2007 has been considered but is ineffective to
overcome the Guthrie et al. (6,161,185) and Hashiguchi (6,615,353) references. 

Specification 

3. The amendments to the specification filed on May 7th, 2007 have been considered and
effectively overcome the previous objections. Therefore, the objections are withdrawn. 

Claim Rejections - 35 USC § 112 

4. The amendments to claims 1-3, 7, 8, 11-15, 18, 20, 23 and 29 have been considered and
effectively overcome the previous rejections. Therefore, the rejections are withdrawn. 

5. The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making 
and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it 
pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode 
contemplated by the inventor of carrying out his invention. 

6. Claims 11 and 12 are rejected under 35 U.S.C. 112, first paragraph, as failing to comply
with the written description requirement. The claim(s) contains subject matter which was not
described in the specification in such a way as to reasonably convey to one skilled in the relevant
art that the inventor(s), at the time the application was filed, had possession of the claimed
invention. The examiner notes that in the amendments to claims 11 and 12, the applicant
discloses, "the password is known to a user of the remote device only", which is not supported
by the original disclosure. The examiner further notes that the applicant's original specification
explicitly discloses on page 12, lines 14-15, "a password or access code which is not known to a
user of a remote device."

Claim Rejections - 35 USC § 102 

7. The amendments to claims 30 and 32 have been considered and effectively overcome the
previous rejections. Therefore, the rejections are withdrawn. 

Claim Rejections - 35 USC § 103 

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

9. Claims 1-19 and 24-32 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Guthrie et al. (6,161,185). 

Claim 1: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices comprising: 
a. an authentication information store(user account database) configured to store
authentication information for a plurality of users (database includes tables of users accounts,
including account IDs) [column 5, lines 35-42];

b. an authentication system configured to receive a request for authentication
information(user provides an account identifier and corresponding account password to initially
log on to or access the server) for one of the plurality of users from a remote device
(computer) [column 4, lines 3-16];

c. wherein the request comprises identity information(account identifier) for use in
determining whether the request is from one of the plurality of users (compares the received user
account ID to a user account table) [column 4, lines 3-5 & column 8, lines 1-2];

d. wherein the authentication system retrieves based on the identity information(user
account ID) the authentication information(user account table) for the one of the plurality of
users from the authentication information store(user account database) [column 7, lines 64-66];

However, Guthrie et al. does not explicitly disclose that the retrieved authentication information
is provided to the remote device. Nonetheless, it would have been obvious to one of ordinary 
skill in the art at the time of invention to send the authentication information back to the remote 
device. One would have been motivated to do so in order to conserve processor resources on the 
server by sending the authentication information to the remote device and performing the 
authentication process locally on the remote device. 

Claim 2: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 1 above and further discloses that the authentication information is 
used in a two-factor authentication system [column 4, lines 1-8].

Claim 3: Guthrie et al. discloses a system for distributing authentication information to users of
remote devices as in claim 1 above and further discloses that the authentication information
store(account user database) comprises a seed store configured to store a plurality of seeds(the
serial number and SADB password are stored in the user's account table in the user account
database), wherein the authentication system is configured to receive a request(the client then
transmits the response produced by the client SADB calculator to the server) from the remote
device, to retrieve the one of the plurality of seeds from the seed store, to calculate an access
code using the retrieved seed(using the same serial number, SADB password and challenge, both
the client and server SADB calculators should produce the same response), to determine whether
the calculated access code matches the received access code(the server compares its internally
generated response with the response received by the client), but does not explicitly disclose that 
the retrieved seed is returned to the remote device if the access code matches the received access 
code [column 6, lines 65-67 & column 7, lines 1-9]. Furthermore, Guthrie et al. does not 
explicitly disclose that the request is a seed request. However, it would have been obvious to 
one of ordinary skill in the art at the time of invention to employ a seed request and return the 
retrieved seed to the remote device. One would have been motivated to do so in order to 
establish a successful authentication and to ensure that the seed value is not used again. This 
would provide enhanced security in the authentication system. 

Claim 4: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 1 above but does not explicitly disclose that the request comprises a 
Hypertext Transfer Protocol(HTTP) connection request. However, Guthrie et al. discloses that 
the server includes a TCP/IP based web server that provides to the client several hypertext 
markup language(HTML) pages or other displayable screens to the user so that the client can
interact with the server via several HTML pages [column 14, lines 4-13]. Therefore, it would 
have been obvious to one of ordinary skill in the art at the time of invention to use an HTTP 
connection for displaying HTML pages. 

Claim 5: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 1 above and further discloses that the request comprises a network 
password(account password) and a digital signature(response generated with secured hashing 
algorithm), but does not explicitly disclose that the network password and digital signature are 
verified by the authentication system before the authentication information is provided to the 
remote device [column 6, lines 14-17]. However, it would have been obvious to one of ordinary 
skill in the art at the time of invention that one would first verify the user before sending 
authentication information back to the remote device. One would be motivated to do so in order 
to maintain a higher level of security within the system. 

Claim 6: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 1 above and further discloses that the identity information(user
account ID) comprises user information and account information(associated with a number of
designations or code indicating that the account corresponds to that of a system administrator or 
other account having high priorities) [column 7, lines 54-59]. 

Claim 7: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 6 above and further discloses that the identity information(user
account ID) identifies a particular user and corresponding authentication information being
requested (the server retrieves the corresponding user account table in the user account database
which corresponds to the user account ID), and is used by the authentication system to
authenticate the user requesting the authentication information(the server retrieves a user
account table and compares the received user account ID to the user account ID data record) 
[column 7, lines 64-67 & column 8, lines 1-2]. 

Claim 8: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 1 above and further discloses that the authentication information in 
the request is used by the remote device for two-factor authentication [column 4, lines 1-8].

Claim 9: Guthrie et al. discloses a system for distributing authentication information to users of
remote devices as in claim 8 above and further discloses that the identity information comprises
a network password(user password) entered by the user of the remote device and a digital
signature generated based on a transformation of at least a portion of the information in the
request, a signature key (serial number), and a signature algorithm(SADB password and
challenge data input together with the serial number to a secure hashing algorithm) [column 6,
lines 14-17].

Claim 10: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 1 above and further discloses that the authentication system does not 
provide the authentication information to the remote device because a match was not found in 
the authentication information store based upon the identity information [Figure 7A]. The 
examiner notes that ending the process if a match is not found is equivalent to not providing the 
authentication information to the remote device. 

Claim 11: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 1 above and further discloses that the authentication information
comprises a password(SADB password) which is required for remote access to resources in the
computer network(the server provides the client with a message indicating whether the
authentication succeeded or failed, and enables appropriate access if successful) [column 15, 
lines 53-57 & column 7, lines 29-45]. 

Claim 12: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 1 above and further discloses an access code(response) which is
required for remote access to resources in the computer network(the server provides the client
with a message indicating whether the authentication succeeded or failed, and enables
appropriate access if successful), but does not explicitly disclose that the access code is 
contained within the authentication information [column 7, lines 10-44]. However, it would 
have been obvious to one of ordinary skill in the art at the time of invention to include the access 
code in the authentication information or any other information that is required for 
authentication. One would have been motivated to do so in order to verify that the access has 
been granted to the user. 

Claims 13-16: Guthrie et al. discloses a system for distributing authentication information to 
users of remote devices as in claim 1 above and further discloses that the retrieved authentication 
information comprises an expiring password(account passwords expire after a select period of
time, typically a few weeks) and access code(the response generated by the client's calculator is 
invalid after a short period of time) [column 4, lines 35-39]. However, Guthrie et al. does not 
explicitly disclose that the passwords can be set to not expire and that the password is stored in a 
protected data store on the remote device. Nonetheless, it would have been obvious to one of 
ordinary skill in the art at the time of invention to set the passwords to not expire. One would 
have been motivated to do so in order to reduce the amount of lost passwords amongst the users.
Official Notice is taken that it is old and well known within the cryptographic arts to store 
frequently used passwords in a protected database on the remote device. For example, the 
Microsoft Internet Explorer® web browser offers its user the option of storing a password in a
protected database, located in the user's local disc drive, when logging into a password protected 
website. Therefore, it would have been obvious to one of ordinary skill in the art at the time of 
invention to store the password in a protected data store on the remote device.

Claim 17: Guthrie et al. discloses a system for distributing authentication information to users of
remote devices as in claim 1 above and further discloses that the retrieved authentication 
information comprises a seed(serial number) from which access codes are to be generated by the 
remote device, wherein the seed is stored on the remote device (the serial number is stored 
internally in the client SADB calculator), but does not explicitly disclose that the seed is stored 
in a protected data store [column 5, lines 64-67]. However, it would have been obvious to one of
ordinary skill in the art to store the seed in a protected data store. One would have been 
motivated to do so in order to prevent the seed from being compromised. 

Claim 18: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 1 above and further discloses that the retrieved authentication 
information is used by the remote device to gain access(the present invention authenticates a
user of the client to permit the user access to the server, as well as access to any resources on
the server) to a corporate local area network(LAN)(the present invention includes an internal
network coupled to the server. The internal network may be a corporate internal network, such
as corporate intranet. Additionally, network resources are coupled to the server.) [column 4,
lines 60-64 & column 5, lines 7-12]. 

Claim 19: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 18 above and further discloses that two-factor authentication is used
in the LAN to authenticate a user requesting remote access to the LAN, wherein the retrieved 
authentication information is used in performing two-factor authentication in order to gain access 
to the LAN [column 4, lines 1-8]. 

Claim 24: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 1 above and further discloses that the user may use a mobile 
communication device(palm top computer) to access the server, but does not explicitly disclose
that the mobile device is wireless [column 6, lines 1-3]. However, it would have been obvious to 
one of ordinary skill in the art at the time of invention to use a wireless mobile communication 
device. One would have been motivated to do so in order to increase the portability of the 
mobile device. 

Claim 25: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 24 above and further discloses that the remote device(client) stores 
the authentication information(serial number) in a data store (client computer downloads a copy
of the SADB calculator and the serial number is stored internally in the client SADB calculator) 
[column 5, lines 48-67]. 

Claims 26 and 27: Guthrie et al. discloses a system for distributing authentication information to 
users of remote devices as in claim 25 above, but does not explicitly disclose how the data store 
is implemented. However, it would have been obvious to one of ordinary skill in the art at the 
time of invention to implement the data store on either a smart card or USB token or any other
form of data storage. One would have been motivated to use either form of data storage 
depending on the constraints of the remote device. 

Claim 28: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 1 above and further discloses that the remote device is a desktop 
computer [column 3, lines 53-55]. 

Claim 29: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 1 above and further discloses that the remote device communicates 
with the authentication system over a communication system [column 4, lines 65-66].

Claim 30: Guthrie et al. discloses a method for distributing authentication information for
remotely accessing computer resources, comprising: 

a. receiving a request for the authentication information from a remote device, the 
request comprising identity information of a user of the remote device(user provides an account
identifier and corresponding account password to initially log on to or access the server) 
[column 4, lines 3-16]; 

b. wherein the authentication information(database includes tables of users accounts,
including account IDs) is stored in an authentication data store(user account database) [column
5, lines 35-42]; 

c. authenticating the user based on the identity information in the request(validates the
user account and password against the user's account table stored in the user account database)
[column 7, lines 19-21].

However, Guthrie et al. does not explicitly disclose returning the authentication information to
the remote device so that the remote device may access the computer resources based upon the 
returned authentication information. Nonetheless, it would have been obvious to one of ordinary 
skill in the art at the time of invention to send the authentication information back to the remote 
device. One would have been motivated to do so in order to conserve processor resources on the 
server by sending the authentication information to the remote device and performing the 
authentication process locally on the remote device. 

Claim 31: Guthrie et al. discloses an apparatus for handling authentication information for users 
of remote devices, comprising: 

a. an authentication information store(user account database) configured to store
authentication information for a user of a remote device, the authentication information provided 
by a remote authentication system [column 5, lines 35-42]; 

b. a request for the authentication information from the remote device to the remote 
authentication system contains identity information(user provides an account identifier and
corresponding account password to initially log on to or access the server) [column 4, lines 3-16];

c. a code generation system(SADB calculator) configured to retrieve the authentication
information(Initial data includes a serial number and SADB password) stored in the
authentication information store(the serial number and SADB password are stored in the user's
account table in the user account database) [column 6, lines 14-20 & lines 65-67];

d. access information is generated based upon the retrieved authentication information
and is used in accessing a remote computer network(By employing the serial number, SADB
password and challenge, the SHA generates a unique response) [column 6, lines 21-23].

However, Guthrie et al. does not explicitly disclose that the authentication information that is
stored in a data store by the remote authentication system is provided to the remote device after 
the request is processed based upon the identity information contained in the request. 
Nonetheless, it would have been obvious to one of ordinary skill in the art at the time of 
invention to send the authentication information back to the remote device. One would have 
been motivated to do so in order to conserve processor resources on the server by sending the 
authentication information to the remote device and performing the authentication process 
locally on the remote device. 

Claim 32: Guthrie et al. discloses a method for obtaining authentication information for 
remotely accessing a computer network, comprising: 

a. providing a request from a user of a remote device to an authentication system for the 
authentication information that is stored in a data store by the authentication system(user 
provides an account identifier and corresponding account password to initially log on to or 
access the server) [column 4, lines 3-16]; 

b. the request comprises identity information for use by the authentication system to 
authenticate the user based on the identity information provided in the request(validates the user
account and password against the user's account table stored in the user account database)
[column 7, lines 19-21].

However, Guthrie et al. does not explicitly disclose receiving by the remote device the
authentication information from the authentication system, wherein the received authentication 
information is to be used by the remote device to access the computer network. Nonetheless, it 
would have been obvious to one of ordinary skill in the art at the time of invention to send the 
authentication information back to the remote device. One would have been motivated to do so 
in order to conserve processor resources on the server by sending the authentication information 
to the remote device and performing the authentication process locally on the remote device.

10. Claims 20-23 are rejected under 35 U.S.C. 103(a) as being unpatentable over Guthrie et
al. (6,161,185) in view of Hashiguchi (6,615,353).

Claim 20: Guthrie et al. discloses a system for distributing authentication information to users of 
remote devices as in claim 19 above and further discloses that the retrieved authentication 
information comprises a seed(the serial number and SADB password are stored in the user's
account table in the user account database) used to produce an access code(using the same
serial number, SADB password and challenge, both the client and server SADB calculators
should produce the same response), wherein the access code(response) is used by the remote
device to gain access to the LAN; wherein the seed is used by the authentication system(server)
to also generate an access code for use in comparison with the access code generated by the
remote device; wherein the access to the LAN is granted based upon the comparison(the server
provides the client with a message indicating whether the authentication succeeded or failed,
and enables the appropriate access if successful), but does not disclose that the access code is
also based upon a value provided by the remote device's clock [column 6, lines 65-67 & column
7, lines 1-9 & column 7, lines 41-44]. However, Hashiguchi discloses a similar system for
distributing authentication information to users of remote devices that further discloses the
access code(authentication code) is based upon a value provided by the remote device's
clock(authentication code is generated using parameters stored on the floppy disk which include
a date and time of the last access by the client) [column 4, lines 11-29]. Therefore, it would have
been obvious to one of ordinary skill in the art at the time of invention to base the access code off
a clock value of the remote device in the system disclosed by Guthrie et al. One would have
been motivated to include the clock value in order to increase the level of security within the
authentication system. 

Claim 21: Guthrie et al. and Hashiguchi disclose a system for distributing authentication 
information to users of remote devices as in claim 20 above and Guthrie et al. further discloses 
that after the user of the remote device(client) initiates a request for access to the LAN, the 
authentication system(server) sends a challenge to the remote device, wherein the remote device 
responds by generating an access code(response) and sends it back to the authentication
system(server) [column 7, lines 10-45]. While it is not explicitly disclosed that the remote 
device only generates the access code when access to the LAN is requested, it would have been 
obvious. One would have been motivated to do so to preclude storing access codes on the
remote device, thus decreasing the chance of compromise. 

Claim 22: Guthrie et al. and Hashiguchi disclose a system for distributing authentication 
information to users of remote devices as in claim 20 above and Guthrie et al. further discloses 
that the authentication information store (user account database) comprises an index by user 
name(includes tables of users accounts, including account IDs) that indicates users authorized
for remote access to the LAN [column 5, lines 35-37]. The examiner notes that it is inherent the
index of user names indicate users who are authorized for remote access.

Claim 23: Guthrie et al. and Hashiguchi disclose a system for distributing authentication
information to users of remote devices as in claim 22 above and Guthrie et al. further discloses
that the retrieved authentication information includes a seed(serial number) from which access
codes(response) are to be generated (using the serial number, SADB password and challenge,
both the client and server SADB calculators should produce the same response) [column 5, lines
64-67 & column 7, lines 1-3].

Application/Control Number: 10/730,183
Art Unit: 2135


Response to Arguments 

11. Applicant's arguments filed on May 7th, 2007 have been fully considered but they are not
persuasive.

a. Regarding claim 1, the applicant argues that Guthrie et al. teaches away from the
sending of sensitive user information(i.e. user's password) from a server to a remote device and
that to do so would violate the teachings of Guthrie et al. However, the examiner respectfully
disagrees and notes that Guthrie et al. does in fact disclose sending sensitive user information,
such as an account password, from the server to a remote device(The user receives an account
password) [column 5, lines 46-47]. Furthermore, the applicant argues that information such as
an account ID would not be transmitted in Guthrie et al. from the server to the client. However,
the examiner respectfully disagrees and notes that Guthrie et al. does in fact disclose sending an
account ID from the server to the client(the user receives a user account ID) [column 5, lines 46-47].

b. Regarding claim 3, the applicant argues that Guthrie et al. does not disclose a request
from a client to a server, but is actually disclosing a response to a request from the server.
However, the examiner respectfully disagrees and notes that the response is transmitted to the
server for the purpose of requesting information(i.e. a message indicating whether the
authentication succeeded or failed), which in turn implies that the server is in fact configured to
receive a request(request for authentication) [column 7, lines 41-44].

12. Applicant's arguments with respect to claims 30-32 have been considered but are moot in 
view of the new ground(s) of rejection. 

Conclusion 

13. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action.

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Edward Zee whose telephone number is (571) 270-1686. The
examiner can normally be reached on Monday through Thursday 9:00 AM-5:00 PM EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kim Y. Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



EZ 

June 4, 2007 